
April 2008 virus activity review from Doctor Web, Ltd.

May 12, 2008

As usual, the virus monitoring service of Doctor Web, Ltd. kept a watchful eye on viral activity in April.

No doubt the discovery of a new modification of the malware classified by Dr.Web as BackDoor.MaosBoot was the most notable event of late March and early April. The program belongs to a new class of malware that combines the features of an MBR virus and a rootkit. BackDoor.MaosBoot mainly targets the computers of end users in order to obtain sensitive financial information: it carries a long list of bank-client applications, and the improved version of the malware uses this list to harvest sensitive information with ease.

In mid-April the virus monitoring service also detected a surge in mailings of the almost forgotten Win32.HLLM.Limar downloader. Although the surge did not turn into an epidemic, it implied that spreading of this malware on a larger scale should not be ruled out.

Meanwhile, the event of the month was most certainly the dispelling of the myth that the malware known as Rustock.C did not exist. The virus monitoring service of Doctor Web, Ltd. finally nailed the long-elusive rootkit, which entered the Dr.Web database as Win32.Ntldrbot. The malicious code is used to turn PCs into spamming bots joined into a vast botnet. Moreover, the captured rootkit was capable of remaining completely undetected, and it supposedly did so since October 2007! According to SecureWorks, the Rustock botnet is the third largest botnet and can send up to 30 billion spam messages every day. The network mainly advertises pharmaceutical products and securities.

Some features of Win32.Ntldrbot

  • Sophisticated polymorphic protection of the rootkit makes extraction and analysis extremely difficult.
  • Implemented as a driver, it runs at the lowest kernel level.
  • Protects itself and prevents runtime changes.
  • Uses active anti-debugging techniques: monitors the setting of hardware breakpoints (DR registers) and disrupts the operation of kernel-level debuggers (e.g. Syser, SoftICE). The WinDbg debugger won't work while the rootkit is running.
  • Intercepts system functions using a non-standard method.
  • Functions as a file virus and infects system drivers.
  • A particular sample of the rootkit adjusts itself to the hardware of the infected machine and most likely won't run on another computer.
  • Utilizes a time-triggered reinfection feature: the previously infected file is cured, so the rootkit "wanders" through the system drivers, infecting only one at a time.
  • Filters calls to the infected file: it intercepts the FSD procedures of the file system driver and redirects a call to the original file instead of the infected one.
  • Features anti-rootkit protection.
  • Injects its library into one of the Windows system processes, and that library starts spamming. The driver communicates with the DLL using a special command transfer mechanism.

It is very important that currently Dr.Web is the only anti-virus capable of detecting and curing a running Win32.Ntldrbot.

April 2008 virus statistics

Table 1. Top 20 viruses detected on mail servers

Period: 01.04.2008 00:00 - 13.05.2008 23:00

 #   Virus                          Detections   Share
 1   Win32.HLLM.Netsky.35328            270654   29.51%
 2   Win32.HLLM.Netsky.based             95383   10.40%
 3   Win32.HLLW.Autoruner.437            73490    8.01%
 4   Win32.HLLM.MyDoom.based             57639    6.28%
 5   Win32.HLLM.Beagle                   38671    4.22%
 6   Win32.HLLM.Netsky                   30887    3.37%
 7   Win32.HLLP.Sector                   30885    3.37%
 8   Exploit.MS05-053                    28784    3.14%
 9   VBS.Igidak                          26239    2.86%
10   Win32.HLLM.Oder                     22487    2.45%
11   Win32.Virut                         20823    2.27%
12   Win32.HLLM.Perf                     17012    1.85%
13   Win32.HLLM.Netsky.24064             16739    1.83%
14   Win32.HLLM.MyDoom.33808             11208    1.22%
15   Win32.HLLM.Netsky.28008              9592    1.05%
16   Trojan.DownLoader.49586              9305    1.01%
17   Win32.LazyAdmin.32768                8791    0.96%
18   Win32.HLLM.Netsky.28672              8689    0.95%
19   Trojan.Regger                        8657    0.94%
20   Exploit.IframeBO                     8093    0.88%

Table 2. Top 20 viruses detected on PCs

Period: 01.04.2008 00:00 - 13.05.2008 23:00

 #   Virus                          Detections   Share
 1   Trojan.Okuks.30                   2184293   33.03%
 2   Trojan.Spambot.3099               1286403   19.45%
 3   Trojan.Click.17013                 501156    7.58%
 4   Trojan.Okuks.24                    172393    2.61%
 5   Win32.HLLM.Generic.440             158366    2.39%
 6   JS.Nimda                           156129    2.36%
 7   Win32.Alman                        131706    1.99%
 8   Win32.HLLW.Autoruner.437           107772    1.63%
 9   VBS.Generic.548                    104092    1.57%
10   Adware.SaveNow.128                  91458    1.38%
11   Win32.HLLP.PissOff.36864            88904    1.34%
12   Trojan.Recycle                      82489    1.25%
13   Trojan.DownLoader.49586             77948    1.18%
14   Win32.HLLP.Jeefo.36352              75027    1.13%
15   BackDoor.Generic.1138               62350    0.94%
16   VBS.Igidak                          49603    0.75%
17   Win32.HLLP.Neshta                   48690    0.74%
18   Win32.HLLM.Lovgate.2                47851    0.72%
19   Trojan.NtRootKit.425                46560    0.70%
20   Win32.HLLW.Autoruner                33661    0.51%
